Posted by Suraj A. Vyas | 5 minute read
GDPR compliant? Facebook and Google selling your data? Here's the quick summary so you can explain that influx of "we've updated our privacy policy" emails to all of your friends and relatives. You'll even be able to tell your European contacts why they can't access certain websites anymore.
What is happening?
The European Union's new law, the "General Data Protection Regulation" (GDPR for short), started applying on 25 May 2018. Even though it's a European law, many of the websites we all check daily serve an international audience, so they've had to make changes for their European users in order to remain compliant. The regulation covers the processing of personal data of people in the European Union, whether that data is handled inside the EU or transferred out of it. It's either changing their privacy policy and practices or getting penalized...or making your site inaccessible to European users (yup, that's a thing).
With how much money these companies make, do the companies even care about the penalties? They probably would make more selling our data than the fine would cost them.
Most companies seem to care quite a bit. Just look at the bombardment of emails you've probably been getting as evidence of how many of these companies care. The penalties come in two tiers. For the most serious violations (for example, ignoring the core data-protection principles or users' rights), a company can be fined up to €20 million or 4% of its worldwide annual revenue, whichever is higher. For lesser violations, such as failing to put adequate security measures in place to prevent a data breach, the cap is €10 million or 2% of worldwide annual revenue, again whichever is higher.
The Facebook hearing thing happened in America though. Why is Europe getting involved?
Funnily enough, GDPR has nothing to do with the recent Facebook/Cambridge Analytica scandal. GDPR was adopted back in April 2016 with a two-year transition period before it took effect, so the timing of the Facebook story is a total coincidence.
Okay, but how is the EUROPEAN Union going to sue and get money from Facebook, an AMERICAN company?
Well, if the company has a physical presence in Europe, it's a lot easier and pretty simple, since the country it's located in can take it to court. The regulation itself doesn't stop at the EU's borders: it explicitly applies to companies outside the EU that offer goods or services to people in the EU or monitor their behavior, and such companies are generally required to appoint a representative inside the EU. However, it does get more complicated to actually collect a fine from a company with no physical presence or assets in Europe. That's when we enter the realm of international law. With the strong relationship between the US and EU, it's likely the US would be willing to help the EU in making sure companies that are managing European data abide by GDPR. Although, to be perfectly honest, it's not required, and as its own sovereign country, the US could turn its back on the EU.
Fine. So, what does GDPR even do?
Essentially, it's supposed to give Europeans more control over the data that all these online websites collect about them, but it'll actually lead to worldwide changes, since many of these companies are updating their privacy policies for everyone rather than maintaining separate rules. Basically, companies have to be able to show consumers what data they have collected about them and also be able to delete it upon the consumer's request. They also need a lawful basis for collecting and using personal data, and when that basis is the user's consent, the consent has to be freely given, specific, informed and unambiguous (a pre-ticked box buried in a settings page doesn't count). For data sharing that relies on consent, this is a huge change because it shifts the rules to "opt-in" rather than "opt-out". Most importantly of all: when a breach occurs, companies must notify their data-protection authority within 72 hours of becoming aware of it, and must notify the affected users without undue delay if the breach is likely to put them at high risk. After the major screw ups from Equifax to Uber to Yahoo, this is great news for users to just be in the know.
For a full list of what companies need to do, check out this link.
For the full text of the law, click this link.
Learn more about this topic and get in touch with The Law Offices of Suraj A. Vyas through social media @SAVLawFirm